2015-09-22 00:31 atommann has quit [Ping timeout: 246 seconds] 2015-09-22 01:14 archang has quit [Remote host closed the connection] 2015-09-22 01:14 archang has joined #qi-hardware 2015-09-22 01:45 atommann has joined #qi-hardware 2015-09-22 02:39 wpwrak: https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Speaker%20%20Workshop%20Materials/Lin%20Huang%20&%20Qing%20Yang/DEFCON-23-Lin-Huang-Qing-Yan 2015-09-22 02:39 g-GPS-Spoofing.pdf 2015-09-22 02:39 argh 2015-09-22 02:41 https://media.defcon.org/DEF%20CON%2023/DEF%20CON%2023%20presentations/Lin%20Huang%20&%20Qing%20Yang/DEFCON-23-Lin-Huang-Qing-Yang-GPS-Spoofing.pdf 2015-09-22 02:42 wpwrak: http://navspark.mybigcommerce.com/navspark-mini-uart-to-usb-adapter/ if you want give a try.. 2015-09-22 02:42 its freebie 2015-09-22 02:46 now this module has glonass, soo better changes to avoid spoofing 2015-09-22 02:54 archang has quit [Remote host closed the connection] 2015-09-22 03:57 nicksydney has quit [Quit: No Ping reply in 180 seconds.] 2015-09-22 03:59 nicksydney has joined #qi-hardware 2015-09-22 04:24 archang has joined #qi-hardware 2015-09-22 04:47 and since you can talk with the gps, there is an open room for location spoofing detecto 2015-09-22 04:48 s/defecto/detection 2015-09-22 05:52 how is glonass more hardened against spoofing? (btw I wonder what's the usecase to have geolocate-locked keys anyway) 2015-09-22 05:56 actually GNSS-spoofing should be pretty simple, at least for the civil unencrypted part. I'm not sure how secure the SA-encrypted part would be, but taking into account how they brought down some drones I'd think nobody ever thought about anybody being that bold to fake GPS signals ;-P Same as it ever was. See GSM and every other infra, where usually the authorities-controlled infra been considered secure-per-se and nobody thought 2015-09-22 05:56 about proper authenzication of servers, only about authentication of clients 2015-09-22 06:01 but honestly I'm just pissed enough when it comes to GNSS-based geolocation *assistence* to find next bus stop and the time schedule of the bus there. For the life of mine I couldn't figure a usecase scenario where I want a crypto solution *relying* on geolocation 2015-09-22 06:05 switching to another sorting sequence (locally most recently used key first) in UI list of keys is all I could come up with for a usecase of GNSS in Anelok 2015-09-22 06:08 implementing OPIE ,and proper URL detection support and even challenge-response auth via optical means to read out QR or similar on screen, in Anelok sounds way more useful 2015-09-22 06:12 for URL detection on arbitrary webpages via a dedicated server that exploits $referrer I think I already suggested some details, which would make for a really great unique selling point for Anelok 2015-09-22 06:15 F6; 'anel.ok'ENTER ; ; ENTER - or back-button (to return to the previous page that requested a password entry) 2015-09-22 06:16 dunno if that would actually work that flawlessly to return to an input mask with multiple textboxes that way 2015-09-22 06:17 alas nope, it clears the already filled in values in such multi-textbox forms 2015-09-22 06:20 so your anelok not only needs to store the password value but actually should playback the complete set of values needed for that form, or you need to do the F6 etc dance as soon as you enter such webpage that eventually needs a password 2015-09-22 06:21 e.g. when you log in where also a captcha is needed, you first go to anel.ok and THEN return to page, fill in captcha, username and password 2015-09-22 06:37 wtf? .ok TLD not registered yet? 2015-09-22 06:38 I wonder when they register .exe TLD 2015-09-22 06:39 either someone grabbed it and it's not easy to find out about the fact, or there must be some special quirks with .ok. Anyway for anelok there's stil all from a.nelok to ane.lok 2015-09-22 06:44 apropos... (not really, since it's not exactly .exe...) could it fly to make anelok serve a HTTPS:// page that serves as a framework for automatically detecting and providing passwords? I.E. you would open this https://anelok page (ideally served from anelok dongle itself?? file://usb:index.html ?) and then enter the URL of your online banking site or whatever and anelok detects it automatically? 2015-09-22 06:45 no, that would be an XSS vulnerability 2015-09-22 06:45 :nod: 2015-09-22 06:46 though, maybe not realy when anelok page first tells anelok dongle about URL and then properly does a forward to that page 2015-09-22 06:47 you can't enter a password like that 2015-09-22 06:47 hell, it's often hard to enter a password if you have a legit password manager, because banks are stupid 2015-09-22 06:48 no, i'm not planning to enter the password like that. Anelok already has means to enter password, either by reading it from disply and manually typing it, or by playback when anelok emulates a kbd 2015-09-22 06:49 I'm just thinking about making anelok aware about the required password 2015-09-22 06:49 once you got 30 or 50 passwords stored on anelok, it becomes a PITA to select the one you need right now 2015-09-22 06:50 anelok knowing about the URL you are just looking at would be a great hint to offer the right (set of) password(s to select from) 2015-09-22 06:52 *entering* the password is a completely unrelated issue 2015-09-22 06:53 ah, yeah, that works 2015-09-22 06:54 ok, when you connect anelok between PC and kbd like a keylogger then it of course has no problem guessing which password you might need now (unless you used mouse to click on bookmarks or the like) 2015-09-22 06:57 then otoh bookmarks make my formerly sketched aproach fail as well 2015-09-22 06:57 um, yes, of course i would not ever type the full URL there 2015-09-22 06:58 click.alfabank.ru is how I always do this 2015-09-22 06:58 ut for the (raher common) situation where anelok is just-another-usb-dongle and the kbd is connected directly to PC, it might work 2015-09-22 06:58 not to mention you have no clue what the context is 2015-09-22 06:58 imagine sending someone a link to google.com and having anelok enter your google password? 2015-09-22 06:59 and you also don't know what the keyboard layout is 2015-09-22 06:59 anelok never *automaticaly* adds a password 2015-09-22 06:59 ok, two other issues still stand 2015-09-22 06:59 for keylogger the layout is a pest, yeah 2015-09-22 07:00 for the ... lemme call it "URL input screen" layout is irrelevant 2015-09-22 07:01 but of course won't fly when you enter the URL to address field of browser directly 2015-09-22 07:01 you can surely use a browser extension 2015-09-22 07:01 heck, we need OCR in anelok ;-D 2015-09-22 07:01 Chrome now has WebUSB 2015-09-22 07:01 so you don't even have to pretend that you're a webpage 2015-09-22 07:01 sounds good 2015-09-22 07:02 except for "crome" 2015-09-22 07:02 Chromium and Firefox too 2015-09-22 07:02 chrome even 2015-09-22 07:02 ooh 2015-09-22 07:03 Firefox is not really there yet, but it will probably be at some point 2015-09-22 07:03 in Chromium that's usable right now, Yubikey uses it 2015-09-22 07:03 I guess 'installing' such plugin still is quite some overhead not competitive with the fiddly picking of right password from anelok's UI directly? 2015-09-22 07:03 why? you could make it as light as the browser's builtin autocomplete 2015-09-22 07:03 you can do whatever you want with the webpages 2015-09-22 07:04 from a plugin 2015-09-22 07:04 err, do plugins autoinstall? 2015-09-22 07:04 no 2015-09-22 07:04 as soon as you plug in anelok? 2015-09-22 07:04 but you only have to install it once 2015-09-22 07:05 yes, but that's not the point. For one-time installation the stuff to install can get arbitrarily complex. But that's not really the major usecase for anelok, I'd use a software password-keeper for that then 2015-09-22 07:05 ah, hm 2015-09-22 07:06 anelok primary usecase is on-the-go 2015-09-22 07:06 right. you would want a composite device: expose a keyboard and a CDC-Ethernet 2015-09-22 07:07 well, maybe not. Maybe it's "use anelok at home and you're ready for OTG" 2015-09-22 07:07 of course you will immediately bump into various computers not allowing installation under unprivleged user 2015-09-22 07:07 yep 2015-09-22 07:07 anyway, time to have that walk to my appointment 2015-09-22 07:08 both for the appointment as well as for the "start my day" and "have a fine walk" 2015-09-22 07:08 and the "get a break from PC" 2015-09-22 07:09 :-) 2015-09-22 07:09 BBL 2015-09-22 07:11 archang has quit [Ping timeout: 246 seconds] 2015-09-22 07:12 archang has joined #qi-hardware 2015-09-22 07:34 jekhor has joined #qi-hardware 2015-09-22 07:41 mithro has quit [K-Lined] 2015-09-22 07:44 mithro has joined #qi-hardware 2015-09-22 07:53 pcercuei has joined #qi-hardware 2015-09-22 08:28 archang has quit [Remote host closed the connection] 2015-09-22 08:42 archang has joined #qi-hardware 2015-09-22 08:45 pcercuei has quit [Ping timeout: 244 seconds] 2015-09-22 08:56 rodgort has quit [Ping timeout: 240 seconds] 2015-09-22 09:00 rodgort has joined #qi-hardware 2015-09-22 10:15 jekhor has quit [Remote host closed the connection] 2015-09-22 10:48 atommann has quit [Ping timeout: 256 seconds] 2015-09-22 11:06 arossdotme-planb has quit [Ping timeout: 256 seconds] 2015-09-22 11:11 jwhitmore has joined #qi-hardware 2015-09-22 11:19 arossdotme-planb has joined #qi-hardware 2015-09-22 12:02 dandon has quit [Ping timeout: 272 seconds] 2015-09-22 13:21 whitequark: (webusb) hmm, so a device - e.g., a password safe - isn't expected to be able to protect itself. that doesn't sound too nice. 2015-09-22 13:24 ah, you guys were already discussing anelok :) 2015-09-22 13:28 so far, i've been thinking of using hidapi for such things. but webusb could be a nice alternative 2015-09-22 13:38 atommann has joined #qi-hardware 2015-09-22 13:43 i wonder what the "origin" of a browser plugin would be. e.g., if you install a plugin from anelok.com and that plugin becomes active when visiting fakebook.com/login, would a webusb device have to permit one of anelok.com and fakebook.com, or maybe both ? 2015-09-22 13:58 don't ask me, no clue about that stuff 2015-09-22 14:01 what do you think of a mail like that (excerpt, sourcetext. The HTML alternative part stub at end looks extremely fishy... I truncated it, it is 100 times as much of same gibberish) http://paste.opensuse.org/31289181 2015-09-22 14:04 new task card: https://gitlab.com/anelok/doc/wikis/Task_webusb 2015-09-22 14:06 Received: from unknown (HELO ns.km20319-04.keymachine.de) hmm :) 2015-09-22 14:07 yep 2015-09-22 14:07 i guess it would be interesting what is behind "Verifizierung jetzt durchführen" 2015-09-22 14:07 in any case, is there is something amiss, you ought to be able to see it on your account 2015-09-22 14:08 I wasn't able to parse that shit and I don't dare to try to hand it to a web browser 2015-09-22 14:08 on account there was no new doom announced 2015-09-22 14:08 or just ask support whether ns.km20319-04.keymachine.de is anything they use 2015-09-22 14:09 hmm, you think a 30 minutes elevator muzak is worth it? I guess they can't answer such question 2015-09-22 14:09 don't they have mail or form access ? 2015-09-22 14:10 err, well. Prolly they have a web form to contact them 2015-09-22 14:10 you cuold also check if any other mails frmo paypal.com came from similar-looking sources 2015-09-22 14:10 THAT is a nice idea 2015-09-22 14:12 rodgort has quit [Ping timeout: 240 seconds] 2015-09-22 14:12 Received: from mx0.slc.paypal.com ([173.0.84.225]) by mx-ha.web.de (mxweb001) 2015-09-22 14:14 jwhitmore has quit [Ping timeout: 246 seconds] 2015-09-22 14:16 rodgort has joined #qi-hardware 2015-09-22 14:20 ok, I found other similar rogue mails in my inbox, all with wrong addressee and same gibberish HTML code inside 2015-09-22 14:21 thanks! 2015-09-22 14:23 bastards. where are extrajudicial executions when we need them ? :) 2015-09-22 14:25 atommann has quit [Quit: Leaving] 2015-09-22 14:30 one mail was a fake payment notification which claimed I'd have paid for a car or somesuch, or car parts 2015-09-22 14:35 hehe :) 2015-09-22 14:35 SICELO arrive3d \o/ 2015-09-22 14:36 have fun ! :) 2015-09-22 15:15 jwhitmore has joined #qi-hardware 2015-09-22 15:40 archang has quit [Remote host closed the connection] 2015-09-22 15:47 dandon has joined #qi-hardware 2015-09-22 16:07 sandeepkr has joined #qi-hardware 2015-09-22 17:19 wildlander has joined #qi-hardware 2015-09-22 19:45 arossdotme-planb has quit [Ping timeout: 256 seconds] 2015-09-22 19:58 arossdotme-planb has joined #qi-hardware 2015-09-22 21:00 sandeepkr has quit [Ping timeout: 250 seconds] 2015-09-22 22:26 hackvana has quit [Ping timeout: 252 seconds] 2015-09-22 22:26 newcup has quit [Ping timeout: 252 seconds] 2015-09-22 22:26 hackvana- has joined #qi-hardware 2015-09-22 22:26 hackvana- is now known as hackvana 2015-09-22 22:28 dos1 has quit [Ping timeout: 252 seconds] 2015-09-22 22:28 dos1 has joined #qi-hardware